CORDIS - EU research results

Aggregated Quality Assurance for Systems

Periodic Reporting for period 3 - AQUAS (Aggregated Quality Assurance for Systems)

Reporting period: 2019-05-01 to 2020-06-30

See the complete overview “Detailed overview of AQUAS Results” - http://aquas-project.eu/documents/

The project AQUAS dealt with managing the interaction between safety, security and performance (SSP). This is a major problem for the development and operation of embedded and future cyber-physical systems. Security features are necessary to ensure performance and safety in the face of attacks. However, conflicts may arise, e.g. when a security feature such as encryption or authentication slows down operation in ways that impair safety. Undetected conflicts are a special concern: they may require expensive redesign and/or product recalls, or cause mishaps (accidental or due to attacks), with harm to life and property, during operation of these products. Synergies between SSP properties are also possible, allowing savings, as when a precaution taken for safety also improves security. Automating this co-engineering also lowers certification costs for technology transfer.

So there is a need for Dependability Co-Engineering (DCE): managing SSP properties together at system level. This is difficult in current practice, as SSP properties are covered by separate, specialised staff, methods and tools. Thus the expected outputs from AQUAS are:

* a methodology supporting DCE for the entire product lifecycle (PLC).
* application examples in five industrial use cases, supporting advances in current practices, methods and tools.
* analysis of the challenges for industry to adopt automated DCE and creating foundations.
* supporting evolution of relevant standards to account for the need for DCE.

For guidance in achieving these outputs we considered CE within a PLC phase, CE across the whole PLC and finally how standards needed to evolve. Twelve objectives with metrics supported advancement.
To support uptake of DCE automation, major methodological advances were required. In AQUAS this is based on the concept of "interaction points" (IPs): points in the product lifecycle (PLC) at which the non-functional SSP requirements are dealt with together, using suitable "combined analysis" (CA) methods. This allows identification of conflicts and synergies, and decisions to deal with them, supported by forecasts of their system-level SSP effects.

The AQUAS methodology seeks to both (1) improve system quality through holistic, system level SSP combined analyses and (2) do this cost-effectively by concentrating the CAs at the IPs alone, producing a low-overhead process for interaction between specialists and for crucial DCE-related decisions. This enables developers to:
- identify potential conflicts between SSP requirements of the system under development earlier in the lifecycle than would be otherwise possible;
- scope the space of trade-offs between SSP and seek acceptable compromises between the conflicting properties for the particular system;
- detect and exploit possible synergies between means for SSP;
- combine different CAs cost-effectively at each IP for better coverage of potential problems;
- trace through the PLC the effects of decisions taken at each IP.

The work on methodology and uptake will lead to major societal benefits: improvements in material living conditions, health, physical safety and the environment.
The AQUAS consortium comprised 23 organisations (manufacturers and research and technology organisations).

DCE was explored via five demonstrators involving product development use cases in the domains of Air Traffic Management, Medical Devices, Rail, Industrial Automation and Space. This approach allowed AQUAS to (a) refine the methodology by creating concrete instances of it, in different companies and with different sets of CAs and supporting tools as appropriate for those companies, and (b) evaluate the methodology.

CA techniques and supporting tools were chosen for each use case, and improved according to the experience thus gained. Overall, 16 novel tool prototypes were produced, with 46 new tool features, to support the AQUAS methodology (CAs and IPs).

Last but not least, AQUAS recognised the benefits of standardisation for DCE and established collaborations to improve European and global standards, and to support uptake of AQUAS results (see http://aquas-project.eu/wp-content/uploads/2020/08/D19-Report-on-the-Evolution-of-CE-Standards-v2.0.1-1.pdf). For instance, CE-related gaps were analysed in various standards. AQUAS partners also contributed to updating IEC 61508-3 and IEC 61508-1/2, so that they require consideration of cybersecurity during the Risk and Hazard Analysis phases, and follow-up processes if safety impacts of security threats are identified.

The lessons learned from AQUAS are summarised in a publicly available document (http://aquas-project.eu/wp-content/uploads/2020/07/AQUAS_D1.2_2nd_final.pdf).
AQUAS contributions are documented in 19 reports, 60 symposia and conferences, and 50 publications. The public reports are available at https://aquas-project.eu/documents/ and at https://cordis.europa.eu/project/id/737475/results.
The AQUAS methodology, as trialled in the AQUAS use cases (for details see http://aquas-project.eu/wp-content/uploads/2020/07/AQUAS_D1.2_2nd_final.pdf), offers these advances:

• shifting some DCE activities to take place earlier in the PLC, allowing early trade-off analyses and verification of system properties, reducing risk regarding both system operation and development costs;

• support by techniques for identifying SSP interdependencies, and early analysis of possible design improvements to mitigate risk.

The AQUAS techniques and tools are building blocks that adopting industrial organisations can combine into their own instantiations of the AQUAS methodology. The trial of the tools in the AQUAS industrial use cases showed their general suitability for other applications where SSP is a critical blocking point.

The introduction of IPs together with CAs as part of the industrial process increases the confidence in system design and supports preparation for certification.

The cost of adopting the methodology (studied by combining experience in the use cases with a cost model) was found to be certainly non-zero, but outweighed by the substantial risk reduction offered.

Exploitation of AQUAS results is under way both by each partner individually and through collaboration. Collaboration agreements have been developed by some partners to build on the AQUAS results.
Use case owners are applying lessons from AQUAS in their organisations; method and tool providers are using the AQUAS basis for future research initiatives and advanced projects for their customers. Several AQUAS tools are available as Open Source (see https://aquas-project.eu/links/).

To support the process of adoption of AQUAS results and further DCE advances in industry, a committee is currently active to support discussions between the industrial research community and the funding and regulatory authorities. A public-private collaboration is considered as a next step towards DCE automation in industry.

In summary, AQUAS made important steps towards practical adoption of co-engineering of safety, security and performance (dependability co-engineering). It has made foundational advances on important technical aspects of DCE and also on non-technical ones, by structuring the interaction between specialisms within an organisation. These advances have value both for immediate use in industry now and as a foundation for more extensive adoption of Dependability Co-Engineering and its automation.
[Figure: AQUAS logo]
[Figure: Application domains in AQUAS]
[Figure: Project structure - demonstrators as fusion of WP2, WP3 and WP4]